Introduction
Just-in-time (JIT), privileged, or on-demand access to servers is a common requirement in any industry to protect assets against bad actors. Most of the time, organisations struggle to implement a Privileged Access Management (PAM) solution properly to secure their critical resources.
Organisations look for a perfect solution that caters to the needs of all business users, and most likely they end up spending big money on PAM solutions, facing long delays implementing the products, or sacrificing user experience; the worst part is simply accepting the risk.
But the bad actors lurking on the public internet looking for ways to exploit the industry will not wait for your PAM solution to be ready. If you are in Azure Cloud you can enable on-demand access, such as JIT VM access, but for on-premises and other clouds the implementation is different, and one option is to use signed SSH certificates.
In this blog post, we discuss signed SSH certificates using Vault. Most of the commands and details are sourced from the HashiCorp Vault documentation.
SSH Signed Certificates
SSH signed certificates are the simplest solution, backed by PKI, to sign your own local SSH keys and provide time-based access. Some of the steps mentioned below can be automated using CI/CD tools.
Client Key Signing
At a high level, sign your local public keys using Vault's SSH client key signing and then access the target servers before the certificate's expiration time. The steps involved in signing SSH keys using Vault (for demo purposes):
- Start Vault in dev mode (demo purposes only):
vault server -dev -dev-root-token-id="root"
- Follow the steps from the Vault site (https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates#signing-key-role-configuration).
- Configure Vault in CA signing mode and copy the public key from the output of the command below:
vault write ssh-client-signer/config/ca generate_signing_key=true
- Copy the public key to the target UNIX servers and edit the sshd_config file to add the location of the public key:
# /etc/ssh/sshd_config
# ...
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
- Restart the SSH server for the configuration to take effect.
- Create a Vault role; whoever can access the Vault role can sign their own SSH keys, so this is the place where you control who can sign keys.
Client SSH Authentication
- Create SSH keys for signing, or use the existing ones (usually located in ~/.ssh/id_rsa.pub).
- Sign the local public key:
vault write -field=signed_key ssh-client-signer/sign/my-role \
    public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
- SSH into the host machine:
ssh -i signed-cert.pub -i ~/.ssh/id_rsa ec2-user@<IP address of server>
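As an added example (not from the original post and not Vault's or OpenSSH's own code), the following Python script parses an OpenSSH user certificate such as signed-cert.pub and reports its key ID, principals and validity window, so you can confirm that the signed key is really time-bounded and scoped to the intended user before relying on it. It builds a constructed, unsigned demo certificate inline because it only inspects fields and does not verify the CA signature (sshd does that against TrustedUserCAKeys); the key ID, principal and timestamps in the demo are made up.

```python
import base64
import struct

# Number of public-key fields that follow the nonce, per certificate type.
CERT_TYPES = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}

def _string(b):                     # RFC 4251 "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_cert(line):
    """Parse one line of signed-cert.pub; the signature is NOT verified here (sshd does that)."""
    cert_type, blob = line.split()[:2]
    buf = base64.b64decode(blob)
    _, off = _read_string(buf, 0)                    # type string (repeated inside the blob)
    _, off = _read_string(buf, off)                  # nonce
    for _ in range(CERT_TYPES[cert_type]):           # public-key fields: (e, n) or (A)
        _, off = _read_string(buf, off)
    serial, kind = struct.unpack_from(">QI", buf, off)
    if kind != 1:
        raise ValueError("not a user certificate (type %d)" % kind)
    key_id, off = _read_string(buf, off + 12)        # skip serial (8) + type (4)
    plist, off = _read_string(buf, off)              # packed list of principal strings
    principals, p = [], 0
    while p < len(plist):
        name, p = _read_string(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return {"serial": serial, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def check_cert(cert, now, max_ttl):
    """Findings to review before distributing a freshly signed certificate."""
    checks = [(not cert["valid_after"] <= now < cert["valid_before"], "not valid at the current time"),
              (cert["valid_before"] - cert["valid_after"] > max_ttl, "validity window longer than allowed TTL"),
              (not cert["principals"], "empty principals: OpenSSH treats this as valid for ANY user")]
    return [msg for bad, msg in checks if bad]

def build_demo_cert(key_id, principals, valid_after, valid_before):
    """Constructed ed25519 user certificate with a dummy signature, for demo input only."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    body = _string(t) + _string(b"\0" * 32) + _string(b"\1" * 32)   # type, nonce, public key A
    body += struct.pack(">QI", 7, 1) + _string(key_id.encode())     # serial, user cert, key id
    body += _string(b"".join(_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _string(b"") * 5     # critical options, extensions, reserved, CA key, signature
    return t.decode() + " " + base64.b64encode(body).decode() + " demo"
```

On a real file, pass the first line of signed-cert.pub to parse_ssh_cert and compare the window against the TTL configured on the Vault role; ssh-keygen -L -f signed-cert.pub prints the same fields for cross-checking.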
Conclusion
This is a simplified implementation of time-based access to UNIX servers using Vault. There are other areas to consider to improve the overall security posture of the solution, like securing Vault itself and the governance of role assignment.
It is a starting point for securing critical infrastructure by providing JIT access, and additional layers of security can be added using host key signing with allowed host lists.
References:
- Useful material on just-in-time access: https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview